SSH as admin to your server. DO NOT use telnet, it should be disabled anyways.
#Change to root
su –
#Type the following
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
# Check the MD5 SUM of the download for security:
ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.md5
md5sum chkrootkit.tar.gz
#Unpack the tarball using the command
tar xvzf chkrootkit.tar.gz
#Change to the directory it created
cd chkrootkit*
#Compile by typing
make sense
#To use chkrootkit, just type the command
./chkrootkit
#Everything it outputs should be ‘not found’ or ‘not infected’…
Important Note: If you see ‘Checking `bindshell’… INFECTED (PORTS: 465)’ read on.
I’m running PortSentry/klaxon. What’s wrong with the bindshell test?
If you’re running PortSentry/klaxon or another program that binds itself to unused ports probably chkrootkit will give you a false positive on the bindshell test
(ports 114/tcp, 465/tcp, 511/tcp, 1008/tcp, 1524/tcp, 1999/tcp, 3879/tcp, 4369/tcp, 5665/tcp, 10008/tcp, 12321/tcp, 23132/tcp, 27374/tcp, 29364/tcp, 31336/tcp,
31337/tcp, 45454/tcp, 47017/tcp, 47889/tcp, 60001/tcp).
#Now,
cd ..
#Then remove the .gz file
rm chkrootkit.tar.gz
Daily Automated System Scan that emails you a report
While in SSH run the following:
pico /etc/cron.daily/chkrootkit.sh
Insert the following to the new file:
#!/bin/bash
cd /yourinstallpath/chkrootkit-0.42b/
./chkrootkit | mail -s “Daily chkrootkit from Servername” [email protected]
Important:
1. Replace ‘yourinstallpath’ with the actual path to where you unpacked Chkrootkit.
2. Change ‘Servername’ to the server your running so you know where it’s coming from.
3. Change ‘[email protected]’ to your actual email address where the script will mail you.
Now save the file in SSH:
Ctrl+X then type Y
Change the file permissions so we can run it
chmod 755 /etc/cron.daily/chkrootkit.sh
Now if you like you can run a test report manually in SSH to see how it looks.
cd /etc/cron.daily/
./chkrootkit.sh
You’ll now receive a nice email with the report! This will now happen everyday so you don’t have to run it manually.